Checkpoint SSL VPN on Debian/Ubuntu

I’m currently in the middle of a small-scale deployment for my company. We sell a managed-service, big-data platform. This usually consists of a mix of Hadoop, Elasticsearch, Storm, and Kafka; but all of that is actually irrelevant to the current topic. The data center we are deploying in lives on VMware and from the outside is locked down with the exception of a Checkpoint SSL VPN. I work for a massive and archaic company; seriously, we have 90,000 employees and we’re still using Lotus Notes for email. It’s like it’s 1997 again; and I can say that because I was doing IT in 1997 and remember deploying Lotus Notes in the Marine Corps. Given the nature of my company, it’s needless to say they are mostly a Wintel shop and are still trying to figure out how to deal with all of their startup acquisitions, like myself. My group, i.e., what is left of our startup, is mostly a Mac shop. I personally use my Debian Linux desktop for most of my work because I honestly can’t stomach Windows, and would rather not deal with OS X. That being said, there were really no directions on how to get the Checkpoint SSL VPN working with my Debian Jessie/Testing desktop, or my Ubuntu laptop. So I did what any *nix geek would do and figured it out on my own with a little know-how and a lot of Googling.

First and foremost, the SSL Network Extender client requires Java. I prefer to use Chrome, however, as of Chrome 35.x.x, they phased out NPAPI plugins, which prevents Java from running, so Chrome was out. We use SecurID, so the command line install (SNX) was also not an option for me. If you are trying to use the Checkpoint SSL VPN Extender without SecurID, the SNX command line installer should work for you and seems to be fairly painless with the exception that it’s 32-bit, and requires 32-bit libs. Debian phased out the ia32-libs metapackage for 64-bit Debian and has made it difficult to run 32-bit applications on the 64-bit platform. Take it from my experience, be very careful when trying to have both 32-bit and 64-bit libs on your system, as some of them are just not able to coexist; but I digress.

Having ruled out the previous two options of Chrome and the SNX command line client, the next step would be Firefox with Java. If you used a repo to install Firefox on your Debian/Ubuntu box, then installing the icedtea-7-plugin should give you all the Java support you need. Given the extremely tight restrictions on the Debian repos, I used the repo from Linux Mint to install 64-bit Firefox. If you are running Debian, simply add the following:

I tried a number of Java configurations with Firefox, and ultimately none of the official Java distributions from Oracle would work; they kept crashing and/or causing errors. This resulted in a lot of empirical methodology till I found the best combination of packages to use, which resulted in the following:

apt-get install firefox icedtea-7-plugin libpam0g libstdc++5 libx11-6

This will install all you need to enable the Checkpoint SSL VPN Extender on your Debian/Ubuntu system. You need to be aware of which version of the browser you’re running; 64-bit Firefox will require 64-bit libraries, and vice-versa. Once again, let me stress how important it is that you are aware which version of Firefox and the OS you are running. Since the deprecation of the ia32-libs package, I have hosed my entire library system on two different occasions by installing the same library in both 32-bit and 64-bit. When I initially tried to log in to the SSL VPN, I kept getting the error, “Failed to initialize.” This was due to a bad Java install. If you run into this, I would suggest purging all the packages above (in both 32-bit and 64-bit), manually removing any preexisting Java install, and reinstalling only the packages listed above. Getting Java to behave properly was, by far, the most painful piece of this evolution. Although I did not have to do this, you may need to reduce your Java security level from High to Medium to get the expected outcome.
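The 32-bit versus 64-bit check stressed above can be scripted. The following is an added example, not part of the original post: it reads the ELF class of the browser binary and flags any package from the apt-get line whose dpkg architecture does not match. The function names and the Firefox path in the usage comment are assumptions.

```sh
# Added example: compare a browser binary's ELF class with the dpkg
# architecture of the plugin and library packages from the apt-get line.
PKGS="icedtea-7-plugin libpam0g libstdc++5 libx11-6"

# elf_class FILE: print 32 or 64; return 1 if FILE is not an ELF binary.
elf_class() {
    # ELF magic is 7f 45 4c 46; the fifth byte (EI_CLASS) is 01 or 02.
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *) return 1 ;;
    esac
}

# arch_bits DPKG_ARCH: map a dpkg architecture name to 32, 64 or any.
arch_bits() {
    case "$1" in
        amd64|arm64) echo 64 ;;
        i386|armhf)  echo 32 ;;
        all)         echo any ;;
        *)           echo unknown ;;
    esac
}

# check_mismatch BITS: read "package arch" lines on stdin, print every
# package whose architecture differs from BITS, return 1 if any did.
check_mismatch() {
    want=$1; bad=0
    while read -r pkg arch; do
        [ -n "$pkg" ] || continue
        got=$(arch_bits "$arch")
        if [ "$got" != any ] && [ "$got" != "$want" ]; then
            echo "MISMATCH: $pkg is $arch, browser is ${want}-bit"
            bad=1
        fi
    done
    return "$bad"
}

# audit_browser PATH: PATH must be the real binary, not a wrapper script.
audit_browser() {
    bits=$(elf_class "$1") || { echo "$1: not an ELF binary" >&2; return 2; }
    echo "$1 is ${bits}-bit"
    # A multiarch system can list the same package once per architecture.
    dpkg-query -W -f='${Package} ${Architecture}\n' $PKGS 2>/dev/null | check_mismatch "$bits"
}
# Usage (path is an assumption): sh check.sh /usr/lib/firefox/firefox
[ $# -eq 0 ] || audit_browser "$1"
```

If the script reports that the path is not an ELF binary, the launcher is probably a shell wrapper; point it at the binary the wrapper executes instead.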

If you have any questions, concerns, or comments, please feel free to leave them in the comments section. It’s very possible I may have missed stating a requirement due to the fact I already had a working system with a multitude of lib packages installed; I will offer whatever assistance I can.